As if conducting business over the internet weren’t challenging enough, there is a new, critical factor to consider. On Sept. 23, customers of online retailer Thrive Cosmetics were informed through an email that the sales platform they use to process transactions had experienced a data breach about one week earlier. That platform is Shopify.
Started in 2004, Shopify originally targeted sales of snowboarding gear. Now it has grown into one of the most prominent sales platforms, hosting more than 325,000 online shops for both individual sellers and huge companies like Google and Tesla.
Being big has its ups and downs. You can count security issues as a down, especially when the etiquette of online security and fraud procedures is still essentially in development. When mega-retailers such as Target joined banking giant Capital One, food delivery service DoorDash, and even credit reporting agency Equifax as victims of one of a series of massive data breaches exposing various ranges of customer information, each responded in a manner ranging from timely to unacceptably delayed. The public and media outlets took rightfully gratuitous swipes.
Shopify’s recent breach raises questions of whether there has been transparency at all. The company has not responded to media inquiries for further details on how many customers were affected and what level of data was exposed. Shopify ultimately confirmed the breach more than a week after it happened, explaining that two “rogue members” lifted customer data from at least 100, but fewer than 200, merchants.
Information released indicates that only names, addresses, and order details were accessed. But follow-up reporting and information from merchants show the last four digits of credit cards were included in the breach.
Though Shopify did forward information to the FBI, questions remain about its forthrightness with the merchants whose customers may be impacted. Thrive Cosmetics’ email mirrored claims that only limited information was made public, but user comments on Shopify’s community page insist that their cards were in fact used fraudulently following the breach. This can’t be confirmed until a full investigation has been completed, though it is entirely possible. Past breaches have led to fraudulent card usage. There may be additional factors making that possible which are out of the control of the company hit with a breach.
Most troubling is the lack of seriousness and willingness to be forthcoming on the websites of both Shopify and many of its merchants who were targeted. Thrive Cosmetics responded to an inquiry by indicating that the breach is mentioned under its “Customer Service” page. Yet shoppers would first have to know a breach had occurred, and know that they need to navigate there. That seems at best inefficient, since customers whose last purchases were in the past and who may no longer use the email address attached to their order probably would have no idea.
What does this mean for online sellers? If you use Shopify – or any other platform – you should review your contract and ensure that you will receive prompt and complete information if there is any type of security breach. Your customers will not feel better knowing that it was not your fault, and you may suffer guilt by association.
Follow the steps taken by Thrive Cosmetics if you are notified of any level of security breach, no matter how small. You will generate trust among your clientele and position yourself to keep them as loyal shoppers.
For more information on the Shopify breach, see this piece by MarketWatch.